PayPal Security Loophole

Banknote - 50.000.000 Mark - Deutsches Reich - 25.07.1923 Public Domain

Criminals see PayPal-related messages as an easy route for fraud. Many such requests are quick to spot because they do not relate to any known purchase. Another tell-tale sign is that the sender's details and any web links within the message do not follow the expected PayPal URL format, although scammers often go a long way towards imitating it.

One way that fraudsters avoid being revealed through the message header code or URL text is to work from within a genuine PayPal account. This could be one that they own or a compromised account that they have gained access to. The receiver of the message will be reassured that the email headers and PayPal links are all genuine (because they are), and following them through will lead to details of an authentic transaction request on PayPal. The trick is to put the key to the scam within the 'note' section of a genuine invoice or request for funds. This section is designed for messages about the goods exchanged but is not strongly regulated by PayPal. A genuine use might be the address to which goods should be sent, but in this scam it will include details of how to complain if the transaction seems to be in error. Those contact details will not lead to PayPal but to a portal controlled by the fraudster.

The hook relies on sending a PayPal invoice or request for funds that is clearly in error, so that the receiver reports the incident to PayPal. The contact web link or phone number listed within the transaction note is the entry point into the fraudster's system. The mark reports the PayPal transaction to avoid any automated transfer of funds but is instead tricked into disclosing personal details or downloading malware. In this example from KrebsonSecurity a spoof call centre attempted to have the mark download a remote administration tool.
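The defensive check that follows from the two paragraphs above is to treat the free-text note of an otherwise genuine invoice as untrusted input: any link that does not resolve to PayPal's own domain, any phone number, and any "act within N hours" wording are the signals to flag. The following script is an added example, not code from the original post or from PayPal; the sample note, the lookalike domain and the phone number are constructed placeholders, and the assumption that `paypal.com` is the only trusted registrable domain is mine.

```python
import re
from urllib.parse import urlparse

# Constructed sample invoice note (not a real message); URL and phone number are placeholders.
SAMPLE_NOTE = """Thank you for your order of 1 x graphics card, 599 USD.
If you did not authorise this payment, call our billing team on +1-555-0100
or dispute it at https://paypal-billing-support.example/dispute?id=12345 within 24 hours."""

# Assumption: links in a legitimate PayPal note should stay on PayPal's own domain.
TRUSTED_DOMAINS = {"paypal.com"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)
# Loose phone pattern: a digit, then at least seven digits/separators, ending in a digit.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
# Pressure wording typical of the "report this now" hook.
URGENCY_RE = re.compile(
    r"\b(within\s+\d+\s+hours?|immediately|urgent|call (?:us|our))\b", re.IGNORECASE
)


def registrable_domain(hostname):
    """Return the last two labels of a hostname (naive; ignores multi-label suffixes such as co.uk)."""
    parts = hostname.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else hostname.lower()


def is_trusted_url(url):
    """True only when the link's registrable domain is exactly a trusted one.

    Lookalikes such as paypal.com.evil.example or paypal-billing-support.example
    reduce to a different registrable domain and are therefore rejected.
    """
    host = urlparse(url).hostname or ""
    return registrable_domain(host) in TRUSTED_DOMAINS


def analyse_note(note):
    """Extract contact channels from an invoice note and list the reasons it looks suspicious."""
    urls = URL_RE.findall(note)
    phones = [p.strip() for p in PHONE_RE.findall(note)]
    findings = []
    for url in urls:
        if not is_trusted_url(url):
            findings.append(f"untrusted link: {url}")
    for phone in phones:
        # A phone number in the note is itself a red flag: PayPal's own contact
        # details should be looked up independently, never taken from the message.
        findings.append(f"phone number in note: {phone}")
    if URGENCY_RE.search(note):
        findings.append("urgency / call-to-action wording")
    return {"urls": urls, "phones": phones, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    result = analyse_note(SAMPLE_NOTE)
    for finding in result["findings"]:
        print("FLAG:", finding)
    print("Suspicious:", result["suspicious"])
```

Run on the sample note, the script flags the off-domain dispute link, the embedded phone number and the 24-hour deadline; a benign note such as a delivery address produces no findings. In practice the domain whitelist should be maintained from PayPal's published list of domains rather than the single entry assumed here.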

PayPal recognise that scammers attempt to manipulate their systems and offer advice to users who see suspicious activity. Where a request appears to be from PayPal, the receiver should look up PayPal's contact details online and not rely on any embedded within the original message. The original message should be forwarded to who will investigate the source account.
